Reflected XSS in SilverStripe
Moderate severity • GitHub Reviewed
Published Feb 24, 2020 to the GitHub Advisory Database • Updated Feb 6, 2024
Package
Affected versions: >= 4.5.0, < 4.5.2; >= 4.0.0, < 4.4.5
Patched versions: 4.5.2; 4.4.5
Description
Published by the National Vulnerability Database: Feb 17, 2020
Reviewed: Feb 18, 2020
Published to the GitHub Advisory Database: Feb 24, 2020
Last updated: Feb 6, 2024
SilverStripe 4.4.x before 4.4.5 and 4.5.x before 4.5.2 allow reflected XSS on the login form and on custom forms. SilverStripe Forms allow malicious HTML or JavaScript to be inserted through non-scalar FormField attributes, which permits cross-site scripting (XSS) on forms whose attributes are built from user input (request data). This can lead to phishing attempts to obtain a user's credentials or other sensitive user input.
References